[Piwik-trac] [Piwik] #78: Check that printing GET parameters in the JS code is secure
Piwik
trac at piwik.org
Thu Jan 10 16:10:41 CET 2008
#78: Check that printing GET parameters in the JS code is secure
-----------------------+----------------------------------------------------
  Reporter:  matt      |      Owner:
      Type:  Task      |     Status:  new
  Priority:  major     |  Milestone:  DVNO
 Component:  Security  |    Version:
Resolution:            |   Keywords:
-----------------------+----------------------------------------------------
Old description:
> in [source:/trunk/modules/ViewDataTable.php] we load GET parameter
> values and print them in the JavaScript code to "forward" the values to
> the JavaScript logic (used in the jQuery code).
>
> Is this safe? We use {{{Piwik_Common::getRequestVar()}}} to sanitize the
> value, but is it safe enough? Or could some hijacking/XSS/etc. be possible
> here?
New description:
in [source:/trunk/modules/ViewDataTable.php], method
{{{getJavascriptVariablesToSet()}}}, we load GET parameter values and
print them in the JavaScript code to "forward" the values to the
JavaScript logic (used in the jQuery code).
Is this safe? We use {{{Piwik_Common::getRequestVar()}}} to sanitize the
value, but is it safe enough? Or could some hijacking/XSS/etc. be possible
here?
--
Ticket URL: <http://dev.piwik.org/trac/ticket/78#comment:2>
Piwik <http://piwik.org>
Piwik, open source web analytics software
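The pattern the ticket asks about, forwarding request values into an inline script block, is safe only when the value is encoded for the JavaScript context it lands in, not merely HTML-entity sanitized. The following is an added illustration and is not Piwik's code: `jsLiteral()`, `javascriptVariablesToSet()` and the `$request` array are constructed for this example, and `Piwik_Common::getRequestVar()` is not reproduced. It shows why entity-only sanitization is the wrong tool for a JS string literal, and how `json_encode()` with the `JSON_HEX_*` flags yields output that can neither close the `<script>` element nor break out of a string.

```php
<?php
// Added example, not Piwik code. Helper names and the request array below are
// constructed for this demonstration.

/**
 * The questionable pattern: HTML-entity sanitization, then interpolation into
 * a single-quoted JS string. ENT_QUOTES neutralizes quotes and angle brackets,
 * but a trailing backslash still swallows the closing quote (syntax error or
 * worse), raw newlines / U+2028 / U+2029 terminate the literal in some
 * engines, and the script receives "&lt;" instead of "<", so the JS side ends
 * up decoding entities itself, often via innerHTML.
 */
function entityOnlyJsVar(string $name, string $value): string
{
    $sanitized = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "var $name = '" . $sanitized . "';\n";
}

/**
 * Context-correct encoding. json_encode() emits a valid JS expression, the
 * JSON_HEX_* flags render < > & ' " as \uXXXX escapes (so "</script>" cannot
 * appear and the result is also safe inside an HTML attribute), and the
 * defaults escape "/" as "\/" and non-ASCII code points such as U+2028.
 */
function jsLiteral($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($value, $flags);
    if (!is_string($encoded)) {
        // Invalid UTF-8 or unencodable value: fail closed instead of emitting
        // something partial into the page.
        throw new InvalidArgumentException('value cannot be encoded for JavaScript');
    }
    return $encoded;
}

/**
 * Hypothetical stand-in for a getJavascriptVariablesToSet()-style helper.
 * Only allow-listed parameter names are forwarded, and all of them go out as
 * one object literal rather than one interpolated string per variable.
 */
function javascriptVariablesToSet(array $request, array $allowed): string
{
    $vars = array();
    foreach ($allowed as $name) {
        if (isset($request[$name])) {
            $vars[$name] = (string) $request[$name];
        }
    }
    return 'var piwikRequest = ' . jsLiteral($vars) . ";\n";
}

// Constructed request values, including characters that matter in a script
// context: quotes, angle brackets, a slash, an ampersand and a backslash.
$request = array(
    'idSite'         => '1',
    'period'         => 'day',
    'filter_pattern' => "x\" </script> <b>&amp;</b> trailing\\",
    'not_allowed'    => 'dropped by the allow-list',
);

echo "// entity-only forwarding of filter_pattern:\n";
echo entityOnlyJsVar('filterPattern', $request['filter_pattern']);
// -> var filterPattern = 'x&quot; &lt;/script&gt; &lt;b&gt;&amp;amp;&lt;/b&gt; trailing\';
//    (the trailing backslash escapes the closing quote: the literal is broken)

echo "\n// context-correct forwarding:\n";
echo "<script type=\"text/javascript\">\n";
echo javascriptVariablesToSet($request, array('idSite', 'period', 'filter_pattern'));
echo "</script>\n";
// -> var piwikRequest = {"idSite":"1","period":"day",
//      "filter_pattern":"x\u0022 \u003C\/script\u003E \u003Cb\u003E\u0026amp;\u003C\/b\u003E trailing\\"};
```

Two design points: the allow-list means a new GET parameter is never forwarded by accident, and the single object literal gives the jQuery code one well-typed place to read from, so no call site is tempted to rebuild HTML from an entity-encoded string.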